Date: Mon, 21 Jun 2021 10:39:48 +0200
From: Greg KH
To: Shunsuke Mie
Cc: kishon@ti.com, lorenzo.pieralisi@arm.com, bhelgaas@google.com, linux-pci@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH] PCI: endpoint: Fix use after free in pci_epf_remove_cfs()
In-Reply-To: <20210621070058.37682-1-mie@igel.co.jp>

On Mon, Jun 21, 2021 at 04:00:58PM +0900, Shunsuke Mie wrote:
> All of entries are freed in a loop, however, the freed entry is accessed
> by list_del() after the loop.
>
> When epf driver that includes pci-epf-test unload, the pci_epf_remove_cfs()
> is called, and occurred the use after free. Therefore, kernel panics
> randomly after or while the module unloading.
>
> I tested this patch with r8a77951-Salvator-xs boards.
>
> Fixes: ef1433f ("PCI: endpoint: Create configfs entry for each pci_epf_device_id table entry")
> Signed-off-by: Shunsuke Mie
> ---
>  drivers/pci/endpoint/pci-epf-core.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)

This is not the correct way to submit patches for inclusion in the
stable kernel tree.  Please read:
    https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
for how to do this properly.
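
The ordering problem described in the quoted commit message, as an added userspace model that is not code from the patch or from the kernel: entries are marked as released instead of being freed, so both orderings can be run safely and compared. The names `node`, `pool`, `teardown_touches_freed` and `entries_still_linked` are assumptions made for this example, and the unlink-first branch shows one safe ordering, not necessarily the change the patch makes.

```c
#include <stdbool.h>

/* Constructed userspace model; all names are hypothetical, not kernel code. */
struct node { struct node *next, *prev; bool freed; };
#define N 3
static struct node head, pool[N];

static void list_add_tail(struct node *n, struct node *h)
{
	n->prev = h->prev; n->next = h;
	h->prev->next = n; h->prev = n;
	n->freed = false;
}

/* Like the kernel helper, list_del() writes to both neighbours of n. */
static void list_del(struct node *n)
{
	n->next->prev = n->prev;
	n->prev->next = n->next;
}

/*
 * Tear down every entry, then report whether a following list_del(&head)
 * would write into an entry that has already been released.
 */
bool teardown_touches_freed(bool unlink_before_release)
{
	head.next = head.prev = &head;
	for (int i = 0; i < N; i++)
		list_add_tail(&pool[i], &head);

	for (struct node *n = head.next, *tmp; n != &head; n = tmp) {
		tmp = n->next;          /* read the successor while n is live */
		if (unlink_before_release)
			list_del(n);    /* safe ordering: unlink first */
		n->freed = true;        /* stands in for kfree(n) */
	}
	return head.next->freed || head.prev->freed;
}

/* Number of entries still reachable from the head after teardown. */
int entries_still_linked(void)
{
	int count = 0;
	for (struct node *n = head.next; n != &head; n = n->next)
		count++;
	return count;
}
```

With release-only teardown the head still points at released entries, which is the condition under which a later `list_del()` on the head corrupts freed memory; with unlink-first teardown the head links only to itself.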